Here's a kernel patch. The __access_ok macro looks one byte too far and fails. Since copy_mount_options() isn't sure how long the string arguments are, it just copies to the end of the page. Since this is on busybox's stack, the copy wants to go all the way to 0x7FFFFFF and hits this corner case. Quinn Jensen jensenq@lineo.com
--- linux-sgi-2.4.0-test11-pristine/include/asm-mips/uaccess.h Wed Oct 4 19:19:02 2000
+++ linux/include/asm-mips/uaccess.h Wed Jan 10 16:20:35 2001
@@ -46,7 +46,7 @@
 * - OR we are in kernel mode.
 */
 #define __access_ok(addr,size,mask) \
- (((__signed__ long)((mask)&(addr | size | (addr+size)))) >= 0)
+ (((__signed__ long)((mask)&(addr | size | (addr+size-1)))) >= 0)
 #define __access_mask ((long)(get_fs().seg))
 #define access_ok(type,addr,size) \
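Review bot: With `size == 0` the new term `(addr+size-1)` evaluates to `addr-1`, which for `addr == 0` wraps to all ones under unsigned arithmetic and sets the high bit, so the `+` line of `__access_ok` would reject a zero-length access at address 0 whenever `mask` has its high bit set. The old form accepted that case, so callers that pass an empty range may start seeing failures. If that is not intended, keep the last-byte semantics only for non-empty ranges, e.g. `(((__signed__ long)((mask)&(addr | size | (addr+size-!!(size))))) >= 0)`, and state in the comment above the macro that the check covers the last byte accessed rather than one past it. The body of `access_ok` lies outside the hunk, so the types that `addr` and `size` arrive with are an assumption here.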